Microsoft urges patching for RDP vulnerability

Windows users are being urged to install a patch for a critical flaw in Windows' Remote Desktop Protocol which can lead to remote code execution.

Microsoft is warning Windows users the world over to apply the security patch released yesterday as soon as possible, following the discovery of a flaw in the Remote Desktop Protocol (RDP) server.

Security Update MS12-020, released as part of the monthly Patch Tuesday update cycle yesterday, is rated 'critical' by the organisation and addresses a serious flaw with the server used to provide remote access to Windows-based systems.

The company has warned that the flaw allows an attacker to exploit any Windows system running the RDP service over the network, and potentially over the internet providing RDP access is permitted through the firewall as is common for remote access. Worse still, the flaw can be exploited before authentication is requested and allows for remote code execution under the 'system' privilege level, giving attackers full and unrestricted access to the underlying operating system.

According to Microsoft, the flaw was privately reported by researcher Luigi Auriemma via TippingPoint's Zero Day Initiative and is not known to be under active use by ne'er-do-wells in the wild. However, the company warns that is likely to change in the none-too-distant future. 'Developing a working exploit will not be trivial – we would be surprised to see one developed in the next few days,' the company states in a threat analysis. 'However, we expect to see working exploit code developed within the next 30 days.'

As a result of the seriousness of the threat, mitigated only by the fact that the RDP service is disabled by default on most Windows systems, Microsoft is urging users to apply the update as soon as possible. Where that's not an option, Microsoft is asking users to enable Network Level Authentication (NLA) on Windows Vista and later to require the attacker to successfully authenticate before exploitation can take place. Doing so, however, will prevent clients on Windows XP, Windows Server 2003 and older from connecting to the RDP server.

'We urge you to promptly apply this security update,' the company concludes. 'We also encourage you to consider how you might harden your environment against unauthenticated, attacker-initiated RDP connections.'